feat: add mitigation for the d(HE)ater DoS attack via ssh #19803
Conversation
|
Having to maintain these cipher/kex lists will be an additional maintenance burden. What is the stance of OpenSSH regarding this CVE? Is it or are they planning a fix? If yes, I suggest we just update openssh via alpine (which is 3.16 now) and leave those ciphers at their default. |
GiteaBot
added
the
lgtm/need 2
|
From what I could find OpenSSH will not fix this in future releases (https://www.mail-archive.com/[email protected]/msg15476.html), I agree that this list is painful, and it could be reduced to just the change in line 26 since the other lines are extra hardening, not related to the CVE (CVE-2002-20001 btw), but will still be painful. Anyway, if you believe keeping just line 26 I'm fine to update the PR if you still believe it's not worth maintaining I can drop the PR too. Thanks for your time :) |
|
There could be a configurable option like Update: since there are quite a few options, maybe it's better to introduce a general config for |
This looks like an awesome idea, I will take a look at it and update this PR, thanks @wxiaoguang |
|
Closing this PR as #19842 replaces it |
Hi,
This PR adds SSHd configuration to mitigate the ssh d(HE)eater DoS attack, the mitigation consists in disabling a Diffie-Hellman Key Exchange algorithm (diffie-hellman-group1-sha1), more details can be found at https://github.com/Balasys/dheater
It also applies some ssh hardening from https://www.ssh-audit.com/hardening_guides.html namely settings a hardened list of Key Exchange Algorithms, Ciphers, HostKeyAlgorithms and Message Authentication Code Algorithms.
Please let me know if you need any more clarification.